github gravitational/teleport v12.0.1
Teleport 12.0.1

20 months ago

Description

Teleport 12 brings the following marquee features and improvements:

  • Device Trust (Preview, Enterprise only)
  • Passwordless Windows access for local users (Preview, Enterprise only)
  • Per-pod RBAC for Kubernetes Access (Preview)
  • Azure and GCP CLI support for Application Access (Preview)
  • Support for more databases in Database Access:
    • AWS DynamoDB
    • AWS Redshift Serverless
    • AWS RDS Proxy for PostgreSQL/MySQL
    • Azure SQLServer Auto Discovery
    • Azure Flexible Servers
  • Refactored Helm charts (Preview)
  • Dropped support for SHA1 in Server Access
  • Signed/notarized macOS binaries

Device Trust (Preview, Enterprise only)

Teleport 12 includes a preview of our upcoming Device Trust feature, which
allows administrators to require that Teleport access is performed from an
authenticated and trusted device.

This preview release requires macOS and a native client like tsh or Teleport
Connect. These clients leverage the Secure Enclave on macOS to solve device
challenges issued by the Teleport CA, proving their identity as a trusted
device.

Teleport features requiring the web UI (Desktop Access, Application Access) are
not currently supported.

Passwordless Windows Access for Local Users (Preview, Enterprise only)

Teleport 12 brings passwordless certificate-based authentication to Windows
desktops in environments where Active Directory is not available. This feature
requires the installation of a Teleport package on each Windows desktop.

Per-pod RBAC for Kubernetes Access (Preview)

Teleport 12 extends RBAC to support controlling access to individual pods in
Kubernetes clusters. Pod RBAC integrates with existing Teleport RBAC features
such as role templating and access requests.

Azure and GCP CLI support for Application Access (Preview)

In Teleport 12 administrators can interact with Azure and GCP APIs through
Application Access using tsh az and tsh gcloud CLI commands, or using
standard az and gcloud tools through the local application proxy.

Support for more databases in Database Access

Database Access in Teleport 12 brings a number of new integrations to AWS-hosted
databases such as DynamoDB (now with audit log support), Redshift Serverless and
RDS Proxy for PostgreSQL/MySQL.

On Azure, Database Access adds SQLServer auto-discovery and support for Azure
Flexible Server for PostgreSQL/MySQL.

Refactored Helm charts (Preview)

The “teleport-cluster” Helm chart underwent significant refactoring in Teleport
12 to provide better scalability and UX. Proxy and Auth are now separate
deployments and the new “scratch” chart mode makes it easier to provide a custom
Teleport config.

“Custom” mode users should follow the migration guide:

https://goteleport.com/docs/ver/12.x/deploy-a-cluster/helm-deployments/migration-v12/

Dropped support for SHA1 in Server Access

Newer OpenSSH clients connecting to Teleport 12 clusters no longer need the
“PubAcceptedKeyTypes” workaround to include the deprecated “sha” algorithm.

Signed/notarized macOS binaries

Users who download Teleport 12 Darwin binaries will no longer get an untrusted
software warning from macOS.

tctl edit

tctl now supports an edit subcommand, allowing you to edit resources directly in
your preferred text editor.

Breaking Changes

Please familiarize yourself with the following potentially disruptive changes in
Teleport 12 before upgrading.

Helm charts

The teleport-cluster Helm chart underwent significant changes in Teleport 12. To
upgrade from an older version of the Helm chart deployed in “custom” mode, use
the following migration guide:

https://goteleport.com/docs/ver/12.x/deploy-a-cluster/helm-deployments/migration-v12/

Additionally, PodSecurityPolicies (PSPs) are removed from the chart when
installing on Kubernetes 1.23 and higher to account for the deprecation/removal
of PSPs by Kubernetes.

tctl auth export

The tctl auth export command only exports the private key when passing the
--keys flag. Previously it would output the certificate and private key
together.

Desktop Access

Windows Desktop sessions disable the wallpaper by default, improving
performance. To restore the previous behavior, add show_desktop_wallpaper: true
to your windows_desktop_service config.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.
